Data Subject Rights: The 8 GDPR Rights Explained

The 8 GDPR data subject rights explained: access, erasure, portability, and more. See what each lets you do, the Article numbers, and the one-month response deadline.


by Riad Us Salehin • 4 July 2026


Data subject rights are the legal entitlements GDPR gives individuals, called data subjects, to control their personal data. They cover being informed, accessing data, correcting it, erasing it, restricting or objecting to its use, porting it, and avoiding solely automated decisions. Organizations must honor them within one month, free of charge.

Below: the 8 rights broken down one by one with their Article numbers, plus two more rights most lists skip. Then the response deadline and what it means if you run a website.

What Are Data Subject Rights?

A data subject is any identifiable individual whose personal data an organization processes. GDPR Chapter 3 (Articles 12 to 23) is where their rights live in the law. For the full scope of what GDPR is, see the guide. These rights exist to give individuals control over how organizations collect, use, and share their personal data.

They apply to anyone whose personal data an in-scope organization processes. That includes a customer, an employee, a website visitor, or a former user, not just people with an active account. The organization processing the data is the data controller, the party legally responsible for responding when someone exercises a right.

The 8 Data Subject Rights Under GDPR (Articles 12 to 22)

GDPR grants eight core rights, each tied to specific Articles. The table below maps each right to its Article number, what it lets you do, and a real-world example.

RightGDPR ArticleWhat It Lets You DoExample
Right to Be InformedArticles 13 to 14Know who is collecting your data, why, and how it will be usedA clear privacy notice appears at sign-up
Right of AccessArticle 15Get confirmation your data is being processed and a copy of itYou ask a former employer for your personnel file
Right to RectificationArticle 16Have inaccurate or incomplete data correctedYou fix a wrong address on file
Right to Erasure (Right to Be Forgotten)Article 17Have your data deleted in defined cases, including when you withdraw the consent it relied onYou delete an old account you no longer use
Right to Restrict ProcessingArticle 18Freeze the use of your data in certain situationsProcessing pauses while you dispute inaccurate data
Right to Data PortabilityArticle 20Receive your data in a machine-readable format and move it elsewhereYou export your data to a competing service
Right to ObjectArticle 21Object to processing, including a clear opt-out of direct marketingYou stop marketing emails from a company
Rights Related to Automated Decision-MakingArticle 22Avoid being subject to a solely automated decision with legal or significant effects, including profilingYou request human review of an automated loan refusal

1. The Right to Be Informed (Articles 13 to 14)

The right to be informed means you get to know who collects your data, why, and how it is used. This happens before or at the point of collection. Articles 13 and 14 set out exactly what an organization must disclose, whether it collected the data directly from you or from another source.

A clear privacy notice at sign-up is the most common way organizations meet this obligation. The notice must name the organization, the purpose of processing, the legal basis, and how long the data will be kept.

2. The Right of Access (Article 15)

The right of access lets you get confirmation that an organization is processing your data and receive a copy of it. This is the right people most often exercise through a formal request, commonly called a data subject access request, or DSAR.

Asking a former employer for your personnel file is a typical example. The organization must also tell you the purpose of processing, who else has received your data, and how long it will be retained.

3. The Right to Rectification (Article 16)

The right to rectification lets you have inaccurate or incomplete personal data corrected. Article 16 covers both fixing wrong data and completing data that is missing.

Fixing a wrong address on record is a simple, common case. Organizations must act on a rectification request within the same one-month deadline that applies to every other right.

4. The Right to Erasure / Right to Be Forgotten (Article 17)

The right to erasure, also called the right to be forgotten, lets you have your data deleted in defined cases. Those cases include when the data is no longer necessary, or when you withdraw the consent it relied on. Objecting with no overriding legitimate ground also qualifies, as does unlawfully processed data.

Deleting an old account you no longer use is the clearest example. This right is qualified, not absolute. An organization can decline erasure to comply with a legal obligation, defend a legal claim, or fulfill a public-interest task. For the full set of grounds and exceptions, see the right to be forgotten.

5. The Right to Restrict Processing (Article 18)

The right to restrict processing lets you freeze the use of your data without deleting it outright. Article 18 applies while a dispute or verification is pending, such as when you contest the accuracy of data an organization holds.

Processing pauses during a dispute over accuracy is the standard use case. The organization can still store the data; it just cannot use it for anything else until the restriction lifts.

6. The Right to Data Portability (Article 20)

The right to data portability lets you receive your data in a structured, commonly used, machine-readable format and move it to another provider. Article 20 applies when the data was provided by you and the processing relies on consent or a contract.

Exporting your data to a competing service is the practical example. A user switching email providers takes their contacts and messages along instead of starting from zero.

7. The Right to Object (Article 21)

The right to object lets you object to processing based on legitimate interests or public tasks. It also gives you an absolute, unconditional opt-out of direct marketing. Article 21 requires organizations to stop direct marketing the moment you object, with no balancing test.

Stopping marketing emails from a company is the everyday version of this right. For other grounds, the organization can continue processing only if it demonstrates compelling legitimate grounds that override your interests.

8. Rights Related to Automated Decision-Making (Article 22)

This right protects you from decisions based solely on automated processing, including profiling, when those decisions carry legal or similarly significant effects. Article 22 gives you the right to request human review, express your point of view, and contest the decision.

Requesting human review of an automated loan refusal is the classic example. The right does not ban automated decisions outright; it bans making them without a human safeguard when the stakes are high enough.

Two More Rights GDPR Gives You: Withdraw Consent and Complain

Most "8 rights" lists stop at Article 22, but GDPR grants two more rights that matter just as much in practice.

The first is the right to withdraw consent, under Article 7(3). Where consent is the legal basis for processing, you can withdraw it at any time. GDPR requires that withdrawing be as easy as giving it was.

Withdrawing consent does not undo processing that already happened lawfully. It can also trigger the right to erasure under Article 17, since consent withdrawal is one of the recognized grounds for deletion.

The second is the right to lodge a complaint with a supervisory authority, under Article 77. If an organization mishandles your request, ignores the deadline, or refuses it without a valid reason, you can complain to your national data protection authority. That path exists instead of, or alongside, pursuing the organization directly.

How Long Does a Company Have to Respond to a Request?

Organizations must respond to a data subject rights request without undue delay, and within one month of receiving it. That deadline can extend by up to two further months for complex or numerous requests. The organization must tell you within the first month that more time is needed.

Responses are free of charge. The only exception is a request that is manifestly unfounded or excessive, particularly because of its repetitive nature. In that case the organization may charge a reasonable administrative fee or decline to act. It must be able to demonstrate why the request qualifies.

How Are Data Subject Rights Different From a DSAR?

Data subject rights are the entitlements GDPR grants. A DSAR is the request a person sends to exercise one of them, most often the right of access. The rights exist whether or not anyone ever invokes them; a DSAR is the specific act of invoking one.

In the UK, the same request is usually called a subject access request, or SAR, the same thing under a different name.

The 8 rights are also frequently confused with the 7 GDPR principles. The rights are what individuals can do. The principles, set out in Article 5, are the rules organizations must follow when they process data in the first place.

Data minimization and purpose limitation are two examples. For the mechanics of making or handling an access request specifically, see a DSAR.

What Data Subject Rights Mean for Website Owners

If you run a website that collects personal data, you have three obligations. Tell visitors about their rights and how to use them. Have a working way to receive and act on requests within the deadline. Where you rely on consent, such as for cookies and trackers, let visitors withdraw it as easily as they gave it.

Most individual rights, including access, erasure, and portability, run through a documented process and a clear contact point rather than a single piece of software. The one right a consent platform directly operationalizes is the right to withdraw consent, through the banner itself and the records it keeps.

  • Tell visitors about their rights in a privacy policy they can actually find
  • Set up a way to receive, verify, and respond to requests inside the one-month deadline
  • Let visitors withdraw cookie consent as easily as they gave it

For the full compliance checklist, see how to make your website GDPR compliant. The consent-banner side of this specifically follows GDPR cookie consent rules. Similar obligations show up across other data privacy laws worldwide.

US visitors are not covered by GDPR's rights by default. Instead they typically get a do not sell my personal information opt-out under state laws like the CCPA.

How Consently Helps You Honor Consent and Privacy Requests

Consently is a consent management platform, not a data-subject-rights fulfillment system. Its honest connection to this topic is narrower than a generic "handles data subject rights" claim. It operationalizes the right to withdraw consent and supports the right to be informed, and it stops there by design.

The Cookie Banner and its preference-center revisit button let visitors withdraw cookie consent as easily as they gave it, the exact standard Article 7(3) requires. A visitor who accepted cookies on their first visit gets the same one-click path to change their mind later. No hunting for a settings page or emailing support.

Consent Logs then keep a timestamped, exportable record of when consent was given or withdrawn. That is the audit trail you need if a regulator or a visitor ever asks for proof of what was agreed to and when.

The Privacy Policy Generator produces the disclosure that tells visitors what you collect and how to exercise their rights. It supports the right to be informed with an actual published policy, not a placeholder page.

Consently does not receive, route, or fulfill access, erasure, or portability requests on your behalf. Those stay a documented process on your side, typically a support inbox and a written procedure your team follows within the one-month deadline.

Where Consently does help is the narrower, cookie-specific slice of that obligation: giving visitors an easy way to withdraw consent and proving that they did. See how Consently handles GDPR cookie consent for the part it does cover.

FAQs

What are the 8 data subject rights under GDPR?

The 8 rights are to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, to object, and automated decision-making rights. GDPR Articles 12 to 22 set them out in full. Two further rights, withdrawing consent and lodging a complaint, extend the list beyond the canonical eight.

What is a data subject?

A data subject is any identifiable living individual whose personal data an organization processes. That includes customers, employees, website visitors, and former users, not just people with an active account.

Are data subject rights free to exercise?

Yes, exercising a data subject right is free of charge. The only exception is a request that is manifestly unfounded or excessive, where the organization may charge a reasonable administrative fee or decline to act.

How long does a company have to respond to a request?

A company must respond within one month of receiving a request. That deadline can extend by up to two further months for complex or numerous requests. The individual must be told within the first month.

Do US residents have data subject rights?

Not under GDPR, unless the business falls within GDPR's territorial scope by targeting or monitoring people in the EU. US residents typically get analogous rights instead, such as a do not sell my personal information opt-out under state laws like the CCPA. A wider set of data privacy laws varies by state.

Is the right to be forgotten absolute?

No, the right to be forgotten is qualified, not absolute. An organization can decline erasure to comply with a legal obligation, defend a legal claim, or complete a task in the public interest. The full list of grounds and exceptions is covered in the dedicated right to be forgotten guide above.

Can I withdraw cookie consent after I accept it?

Yes. The right to withdraw consent means it must be as easy to withdraw as it was to give. That usually works through a revisit button or preference-center link on the site where you originally consented.

What is the difference between data subject rights and the 7 GDPR principles?

Data subject rights are what individuals can do, such as requesting access or erasure. The 7 GDPR principles are the rules organizations must follow when processing data in the first place, such as data minimization and accuracy. The principles exist independently of whether anyone exercises a right.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.